Practical and Strategic Considerations in Today’s EU Data Transfer Landscape 28 January 2016


Follow us: @AlstonPrivacy www.AlstonPrivacy.com

Panelists


Working Party on Schrems


Commission Statement on Schrems


The GDPR Is Happening . . .


The NIS Directive (in case you missed it)


What about the DPAs?


Safe Harbor 2.0 / Related Discussions


Will there be SH2.0, and if so, when?


What do we “know” about SH2.0?


- Effective redress and installation of ombudsman

- Umbrella Agreement issued by the DOJ

- Annual review of SH 2.0 framework

- Reluctance of US to make promises about foreign intelligence activities in an agreement about commercial trans-border data flows


Practical Developments Since October 6


- DPAs have invited companies to remediate Safe Harbor transfers:

– Czech Republic

– Spain

– Portugal

– France

- Many companies updated Notifications and submitted Transfer Agreements


Post Schrems Issues / Friction


- Pre Schrems – Model Clauses were previously disfavored by certain vendors

- Post Schrems – voila! . . . Sign our form and our addendum . . .

- Some vendors offer data storage in the EU

- Navigating between DPO and Works Council Options

- Model Clauses are not appropriate for every situation

- Information Security requirements in Controller-Processor Agreements

- Volume of Work for all parties


What will happen next?


- Commission and WP29 assess the situation/US law

- WP29 February 2 meeting:

– Will review draft findings on “essential equivalence” of US legal order for surveillance

– Securing adequacy findings

• Addressing powers of DPAs to suspend data streams

– Securing Model Clauses

• Arguably not that vulnerable – strong DPA oversight as emphasized by the ECJ in Schrems

• But DPAs could in theory suspend data streams to the US in reaction to complaints

• Importance of political agreement between US/EU


What might happen next?


- DPA can knock on your door…

- WP29 threatens enforcement actions in its October 16 statement

- Complaints that were on hold may be investigated as of February

- New complaints may be filed


What Should Companies Do to Prepare?


- If SH2.0 – relief will not be immediate

- Good faith temporary enforcement delay?

- Continue to implement alternative transfer solutions for Short / Intermediate Term

- Focus on most critical / most sensitive data flows

- Additional frenzy of Model Clause execution

- Additional Notification updates


Balancing Risk Factors

• Practical risk mitigation

– Document post-Schrems efforts, even if you were not 100% successful

• Works Councils

• Positions of individual DPAs in relevant countries

• Scale of data: Data driven companies (B2B v. B2C)

• Type of data: sensitive v. non-sensitive

Additional Safeguards

- EC Communication specifically contemplated “additional safeguards”

- Strong argument can be made that US surveillance framework does not constitute “disproportionate mass surveillance”

- Consider documenting analysis of proportionality

Is All of this a Waste if SH2.0 Is Adopted?

- No – always a danger that enforcement actions were to be launched as of next month

- Start a Broader Conversation with Executives

- BCRs

- GDPR Preparation and Planning
